We've been using the old Sun Directory Server (DSEE7) for a long time and have had
things working in such a way that when a user on Linux or Windows locks the account after
so many failures, neither Windows nor Linux will allow them to log in.
The way that was done was to modify the samba source code (in lib/smbldap.c) to point the
SambaKickoffTime variable to pwdaccountlockedtime from the LDAP server. This worked.
We want to move to the 389 directory server and perform the same function, but I'm
having some issues. The pwdaccountlockedtime isn't there anymore. When the account
locks, I see that we have the accountunlocktime attribute being set.
Unfortunately, I can't use that field for samba since it's looking for unix time
in seconds. The default value of accountunlocktime is Jan 1 1970, so samba thinks that
this is some date in the year 600,000+.
So, are any of the following things possible? If so, how can I do it?
1) When an account locks out on the DS, automatically set the SambaKickoffTime attribute
in DS to the current time in seconds
2) Change the default value of accountunlocktime to 00000000000000Z instead of 1970....
3) Change the format of the sambakickofftime inside of samba so that it will acknowledge
what the DS offers it.
4) Some other way to get samba to acknowledge that account cannot login automatically upon
lockout from DS.
Thanks for your help.
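As an added example, not part of the original post and not code from samba or 389 DS: a small Python sketch of the format mismatch described above. It assumes that accountUnlockTime is an LDAP GeneralizedTime string (YYYYMMDDHHMMSSZ), that sambaKickoffTime must hold Unix seconds, and that the epoch default means "not locked"; the attribute values used are constructed, and the function and variable names are mine.

```python
from datetime import datetime, timezone
from typing import Optional

# Constructed sample values (not taken from the post): the epoch default that
# 389 DS leaves in accountUnlockTime on an unlocked account, and a lockout
# whose unlock time lies in the future relative to the "now" used below.
EPOCH_DEFAULT = "19700101000000Z"
SAMPLE_LOCK = "20240315101500Z"

# Average Gregorian year in seconds, used only to show the naive reading.
SECONDS_PER_YEAR = 31556952


def generalized_time_to_epoch(value: str) -> int:
    """Parse an LDAP GeneralizedTime (YYYYMMDDHHMMSSZ, UTC) into Unix seconds."""
    if len(value) != 15 or not value.endswith("Z"):
        raise ValueError(f"unsupported GeneralizedTime: {value!r}")
    dt = datetime.strptime(value, "%Y%m%d%H%M%SZ").replace(tzinfo=timezone.utc)
    return int(dt.timestamp())


def naive_year_if_read_as_seconds(value: str) -> int:
    """Year a consumer would compute if it took the raw digits as Unix seconds.

    This reproduces the 'year 600,000+' effect: the digits of the 1970 default,
    19700101000000, are about 624,000 years' worth of seconds.
    """
    seconds = int(value.rstrip("Z"))
    return 1970 + seconds // SECONDS_PER_YEAR


def kickoff_time_from_unlock_time(value: str, now: int) -> Optional[int]:
    """Derive a sambaKickoffTime value from accountUnlockTime.

    Returns None when the attribute holds the epoch default (no lockout) or the
    unlock time has already passed (lockout expired). While the lockout is in
    force it returns `now`, so a consumer comparing the kickoff time against the
    current time refuses the login immediately.
    """
    unlock = generalized_time_to_epoch(value)
    if unlock <= 0 or unlock <= now:
        return None
    return now


if __name__ == "__main__":
    now = 1710000000  # constructed "current time", before SAMPLE_LOCK expires
    print("epoch default as seconds ->", generalized_time_to_epoch(EPOCH_DEFAULT))
    print("naive year for default   ->", naive_year_if_read_as_seconds(EPOCH_DEFAULT))
    print("kickoff, unlocked account ->", kickoff_time_from_unlock_time(EPOCH_DEFAULT, now))
    print("kickoff, locked account   ->", kickoff_time_from_unlock_time(SAMPLE_LOCK, now))
```

The conversion is the one any option 1 or option 3 approach would need: whichever side does it (a directory-side hook writing sambaKickoffTime, or a samba-side change parsing accountUnlockTime), the epoch-default case must be special-cased or every unlocked account looks locked (or, read naively, expires in a far-future year).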